Critical software security vulnerabilities have emerged across major platforms, raising alarms for users everywhere. Adobe has patched a high-severity vulnerability affecting its ColdFusion platform, alongside the discovery of several serious flaws across popular WordPress plugins.
Adobe's vulnerability, tracked as CVE-2024-53961, is a path traversal flaw in ColdFusion versions 2021 and 2023. Rated with a severity score of 7.4, it could allow an attacker to gain unauthorized access to files or directories outside the area the application is restricted to. According to the National Institute of Standards and Technology (NIST), "An attacker could exploit this vulnerability to access files or directories... outside of the restricted directory set by the application." With proof-of-concept code already available, Adobe has urged users to apply the patch as quickly as possible.
Adobe has assigned CVE-2024-53961 its "Priority 1" severity rating, signifying a heightened risk of exploitation. The company urged users to apply the patches for ColdFusion 2021 (Update 18) and ColdFusion 2023 (Update 12) within 72 hours. Although no exploitation in the wild has been reported so far, the existence of the proof-of-concept has raised concern among cybersecurity experts that cybercriminals, who often target flaws in popular software, will follow.
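The path traversal class of flaw described above is easiest to understand from the defender's side: the application must decide whether a user-supplied path stays inside the directory it is restricted to. The following Python is an added example, not Adobe's code and not derived from the ColdFusion patch; the base directory and the request paths are constructed for the demonstration. It contrasts a string-prefix check, which is easy to get wrong, with a check on the canonicalised path.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; a real deployment restricts the
# application to whatever directory it is configured with.
BASE_DIR = "/var/www/app/restricted"


def naive_is_inside(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """A string-prefix check on the joined path. Included only to show what
    it misses: '..' segments survive the join, and a sibling directory whose
    name merely starts with the base name also passes."""
    joined = os.path.join(base_dir, user_path)
    return joined.startswith(base_dir)


def resolve_under_base(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical absolute path for user_path if it lies inside
    base_dir, otherwise None.

    The containment test runs on the canonicalised result, so '..' segments,
    absolute paths and percent-encoded dots are all caught by one comparison.
    """
    # Decode percent-encoding exactly once, matching what the web layer does;
    # the normalised comparison below handles whatever the decode reveals.
    decoded = unquote(user_path)
    # A NUL byte would truncate the path in C-based filesystem APIs.
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '.' and '..' and follows symlinks for the parts that
    # exist on disk, so a symlinked subdirectory pointing outside the base is
    # caught as well. os.path.join discards `base` when `decoded` is absolute,
    # which is fine: the result then simply fails the containment test.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole path components, so '/x/restricted_backup'
    # is not mistaken for a child of '/x/restricted'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths of the kind a path traversal check must reject.
    for p in ["reports/q1.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "/etc/passwd", "../restricted_backup/secret.txt"]:
        print(f"{p!r:40} naive={naive_is_inside(p)!s:5} safe={resolve_under_base(p)}")
```

The point of `resolve_under_base` is that it never reasons about the raw string: whatever the input looks like, the decision is made on the path the operating system would actually open. The prefix check in `naive_is_inside` accepts both `../../etc/passwd` and `../restricted_backup/secret.txt` because the joined string still begins with the base directory.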
Simultaneously, Patchstack, a WordPress cybersecurity platform, reported 18 vulnerabilities across two popular plugins, WPLMS and VibeBP, both developed by VibeThemes. Many of them are rated as having severe consequences; one, identified as CVE-2024-56046, received the maximum severity score of 10 out of 10 because it allows attackers to upload arbitrary files without authentication, which could result in remote code execution (RCE).
“...18 vulnerabilities, most of which were deemed...critical,” stated Patchstack, emphasizing the risks involved. The vulnerabilities are serious: they give remote, unauthenticated attackers the ability to execute code, escalate privileges, steal sensitive information, and manipulate websites. Users are strongly encouraged to upgrade WPLMS to version 1.9.9.5.3 or newer and VibeBP to version 1.9.9.7.7 or newer to mitigate these risks.
Given the ever-evolving threat environment, the importance of plugin security cannot be overstated. For WordPress site owners, best practices include enforcing secure file uploads, sanitizing SQL queries, and maintaining role-based access controls to safeguard their websites. Keeping plugins up to date remains one of the most effective measures against known exploits and vulnerabilities.
With both Adobe and the WordPress ecosystem issuing alerts, the imperative to patch and update cannot be ignored. Users of ColdFusion and of the affected WordPress plugins must remain diligent: applying patches promptly and following security best practices can mean the difference between remaining secure and falling victim to attack.
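Enforcing secure file uploads, as recommended above, is illustrated by the following added example. It is not code from WPLMS, VibeBP or WordPress, and it does not reproduce the CVE-2024-56046 flaw; the `UploadRequest` class, the upload directory, the size cap and the sample payloads are constructed for the demonstration, and the `upload_files` capability name is used in the WordPress sense. It shows the order of checks that an unauthenticated arbitrary file upload bug skips: authentication and authorisation first, then an extension allow-list tied to the file's leading bytes, then a server-chosen filename.

```python
import os
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed settings for the example; a real plugin reads these from its
# platform configuration.
UPLOAD_DIR = "/var/www/uploads"
MAX_BYTES = 5 * 1024 * 1024

# Extension allow-list paired with the leading bytes each format must carry.
# Anything not listed is rejected, so script extensions never get a chance.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


@dataclass(frozen=True)
class UploadRequest:
    """Constructed stand-in for an incoming multipart upload."""
    user_id: Optional[int]           # None when the request is unauthenticated
    capabilities: FrozenSet[str]     # e.g. {"upload_files"}, WordPress-style
    original_name: str               # client-supplied, never trusted
    content: bytes


class UploadRejected(Exception):
    pass


def validate_upload(req: UploadRequest) -> str:
    """Run the checks in order and return the server-side path to store at."""
    # 1. Authentication, then authorisation. An anonymous caller is turned
    #    away before any file handling runs, which is exactly the check an
    #    "unauthenticated arbitrary file upload" flaw lacks.
    if req.user_id is None:
        raise UploadRejected("authentication required")
    if "upload_files" not in req.capabilities:
        raise UploadRejected("caller lacks the upload capability")
    # 2. Size cap before any parsing of the bytes.
    if len(req.content) > MAX_BYTES:
        raise UploadRejected("file exceeds size limit")
    # 3. Extension allow-list. Only the final extension is consulted, so
    #    'report.php.png' is treated as PNG and must then look like one.
    ext = os.path.splitext(req.original_name)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    # 4. The bytes must carry the signature of the declared type.
    if not req.content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    # 5. The client name never touches the filesystem: the stored name is
    #    random, keeps the validated extension, and is placed in a directory
    #    that the web server should serve without script execution.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(UPLOAD_DIR, stored_name)


def try_upload(req: UploadRequest) -> Optional[str]:
    """Convenience wrapper: the storage path on success, None on rejection."""
    try:
        return validate_upload(req)
    except UploadRejected:
        return None


# Constructed sample requests.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SCRIPT_BYTES = b"<?php /* constructed sample, not an image */ ?>"
EDITOR = frozenset({"upload_files"})

if __name__ == "__main__":
    print(try_upload(UploadRequest(7, EDITOR, "photo.png", PNG_BYTES)))
    print(try_upload(UploadRequest(None, frozenset(), "photo.png", PNG_BYTES)))
    print(try_upload(UploadRequest(7, EDITOR, "not_an_image.php", SCRIPT_BYTES)))
```

Two design choices carry most of the weight. The authentication and capability checks sit before everything else, so the file-handling code is unreachable for anonymous callers, and the stored filename is generated server-side, so a client-supplied name such as `../../evil.png` has no influence on where the file lands or what extension it is served with. The signature check is a filter, not a proof of safety, which is why the upload directory should additionally be served with script execution disabled.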